Are these ports safe to be open to the internet?

proxmoxrks

Member
Apr 14, 2020
1) Are these ports safe to be open to the internet?

Code:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      2401/spiceproxy     
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init              
tcp6       0      0 ::1:25                  :::*                    LISTEN      1550/master         
tcp6       0      0 :::111                  :::*                    LISTEN      1/init              
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/init              
udp6       0      0 :::111                  :::*                                1/init

2) Any guide to secure proxmox after installation?

Thanks.
 
Only ports with "0.0.0.0" and ":::" will be open to the internet.

So you got 3128 (proxmox spice) and 111 (rpcbind).

I would not open either, rpcbind leaks sensitive information about running services.

And spice is used for proxmox gui console afaik. Even if it's authenticated there is no meaning opening it.
 
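The distinction drawn in the reply above (wildcard binds `0.0.0.0` and `:::` versus the loopback bind `::1`), as an added example that is not part of the original thread: Python code that parses a netstat listing and returns the sockets bound to every interface. The function names are hypothetical, and the sample input is the listing from the question, embedded as constructed test data with its PID/Program name column assumed present.

```python
import ipaddress

# Constructed sample: the netstat listing posted in the question.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      2401/spiceproxy
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init
tcp6       0      0 ::1:25                  :::*                    LISTEN      1550/master
tcp6       0      0 :::111                  :::*                    LISTEN      1/init
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/init
udp6       0      0 :::111                  :::*                                1/init
"""

def classify(local):
    """Return (scope, port) for a netstat 'Local Address' field."""
    host, _, port = local.rpartition(":")  # the last colon separates the port
    if host == "*":  # some netstat builds print the wildcard as '*'
        return ("all-interfaces", int(port))
    addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return ("all-interfaces", int(port))
    if addr.is_loopback:  # 127.0.0.0/8 or ::1
        return ("loopback", int(port))
    # Bound to one address: reachable wherever that address is reachable.
    return ("specific-address", int(port))

def exposed_listeners(netstat_text):
    """List (proto, port, program) for sockets bound to every interface."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        proto, local = fields[0], fields[3]
        # TCP rows must be in LISTEN; UDP rows carry no state column.
        if proto.startswith("tcp") and "LISTEN" not in fields:
            continue
        scope, port = classify(local)
        if scope == "all-interfaces":
            found.append((proto, port, fields[-1]))
    return found

if __name__ == "__main__":
    for proto, port, program in exposed_listeners(SAMPLE):
        print(f"{proto:5} {port:5} {program}")
```

A wildcard bind only means the socket accepts traffic on every interface; whether it is actually reachable from the internet still depends on the host firewall and any upstream filtering.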
hi,


1) Are these ports safe to be open to the internet?

hard to answer this question... if it makes you uncomfortable just firewall it.

2) Any guide to secure proxmox after installation?

set a good root password and enable 2FA.

install fail2ban [0]

if it's a single PVE machine, then you can set "PermitRootLogin without-password" in /etc/ssh/sshd_config (but this will cause problems if you're using a cluster) and use a key for SSH.

enable the firewalls and whitelist your IP addresses.

you can also completely block access to the GUI port from outside. with SSH port forwarding you can forward the GUI port to your local machine.

or you can set up wireguard/openvpn/etc. and make it only accessible from that interface.


hope this helps!

[0]: https://pve.proxmox.com/wiki/Fail2ban
 